
CVE-2023-45360: i18n XSS in "you have new messages" message
Closed, Resolved | Public | Security

Description

One more issue found with T340201: Use custom language code to find i18n XSS issues:

Impact: A sysop account can inject arbitrary JavaScript to pages.

Steps to reproduce:

  • Add <script>alert(1);</script> to MediaWiki:Youhavenewmessagesfromusers
  • Have another user write something to your talk page
  • Load any page

Seems to be coming from here, although I couldn't immediately figure out how to patch this issue without breaking formatting of the message itself.

Event Timeline

And youhavenewmessages too since it uses the same formatting code.

I couldn't immediately figure out how to patch this issue without breaking formatting of the message itself.

If it's supposed to allow raw HTML, add it to $wgRawHtmlMessages. Otherwise, I think the least disruptive change is to pass it through Sanitizer::removeSomeTags(). Not sure about the performance impact though - Message::parse() does similar sanitization but the result is cached.
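A Python model of the two mitigations weighed above, added here as illustration and not MediaWiki code: a removeSomeTags-style tag allowlist that keeps the notice's formatting but renders a script tag as literal text, beside the raw-HTML path that trusts the message verbatim. The allowlist, the sample message and the payload placement are constructed for the example; the raw-HTML message names are the ones the generated diff later in the thread already lists.

```python
import html
import re

# Allowlist constructed for this model (not MediaWiki's own): just the formatting
# a "new messages" notice needs (links, emphasis, line breaks).
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "br", "span"}
ALLOWED_ATTRS = {"href", "title", "class"}
SAFE_HREF_PREFIXES = ("/", "http://", "https://")
# Message names the page's generated diff lists in $wgRawHtmlMessages.
RAW_HTML_MESSAGES = {"copyright", "history_copyright", "googlesearch"}
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>")
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*"([^"]*)"')


def _clean_attrs(raw: str) -> str:
    """Keep allowlisted attributes only; event handlers and javascript: hrefs go."""
    kept = []
    for name, value in ATTR_RE.findall(raw):
        name = name.lower()
        if name not in ALLOWED_ATTRS:
            continue
        if name == "href" and not value.lower().startswith(SAFE_HREF_PREFIXES):
            continue
        kept.append(f' {name}="{html.escape(value, quote=True)}"')
    return "".join(kept)


def remove_some_tags(text: str) -> str:
    """Allowlisted tags survive with cleaned attributes; any other tag (script,
    img, ...) is escaped so the browser shows it as text instead of running it."""
    def repl(m):
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name not in ALLOWED_TAGS:
            return html.escape(m.group(0))
        return f"<{closing}{name}{'' if closing else _clean_attrs(attrs)}>"
    return TAG_RE.sub(repl, text)


def render_message(name: str, customised: str, raw_html=RAW_HTML_MESSAGES) -> str:
    """Option 1: a message in the raw-HTML list is trusted verbatim, so editing
    it must be privilege-gated. Option 2: sanitize, keeping formatting only."""
    if name in raw_html:
        return customised
    return remove_some_tags(customised)


# Constructed sample: the page's payload appended to a formatted notice.
SAMPLE = ('You have <a href="/wiki/User_talk:Example">new messages</a>'
          '<script>alert(1);</script>')
```

With the fix that was eventually deployed, the two notice messages join the raw set, so the second path applies and the control shifts from what the message may contain to who may edit it.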

Customizations on Wikimedia wikis - apparently quite a few of them make use of raw HTML.

Mstyles changed Risk Rating from N/A to High. Jun 27 2023, 12:03 AM
Mstyles moved this task from Incoming to In Progress on the Security-Team board.
Mstyles subscribed.

The proposed solution sounds good @Tgr, will you be able to create a patch for this?

Customizations on Wikimedia wikis - apparently quite a few of them make use of raw HTML.

Given this reality, and that youhavenewmessagesfromusers and youhavenewmessages are part of mw core, these should likely just get added to MainConfigSchema, no? I think that could almost certainly just go through gerrit.

Created a patch that added the messages to the list of RawHtmlMessages. Planning to do a security deploy Thursday

Created a patch that added the messages to the list of RawHtmlMessages. Planning to do a security deploy Thursday

CR+2, this can get deployed as a core security patch. Since it's not urgent, it can probably wait until the next Monday deployment window. I don't believe this would need the localization caches rebuilt since it's not changing any actual messages. This should also be tracked as a core security issue under T340865 and held for that release, despite it being a fairly minor issue.

@sbassett I'll go ahead and deploy it during the window on Monday. Once it's deployed, I'll go ahead and add it to the tracking bug

Created a patch that added the messages to the list of RawHtmlMessages. Planning to do a security deploy Thursday

Deployed

Mstyles added a parent task: Restricted Task. Jul 17 2023, 11:04 PM

Rebased security patch:

@sbassett thanks for the rebased patch. I have deployed it for 1.41.0-wmf.19

I note neither of these patches have a SECURITY: prefix :)

Will fix for release.

Oh, and while this doesn't matter too much for WMF production... Changes to includes/MainConfigSchema.php need other documentation files updating, otherwise CI would/should complain when we try and push these patches:

As per the docs in the header of includes/MainConfigSchema.php

* @note After changing this file, run maintenance/generateConfigSchema.php to update
*       all the files derived from the information in MainConfigSchema.

For this change:

$ git am ~/T340221.patch
Applying: MainConfigSchema: update RawHtmlMessages
$ php maintenance/generateConfigSchema.php

*******************************************************************************
NOTE: Do not run maintenance scripts directly, use maintenance/run.php instead!
      Running scripts directly has been deprecated in MediaWiki 1.40.
      It may not work for some (or any) scripts in the future.
*******************************************************************************

Writing schema array to /var/www/wiki/mediawiki/core/maintenance/../includes/config-schema.php
Writing variable stubs to /var/www/wiki/mediawiki/core/maintenance/../docs/config-vars.php
Writing schema YAML to /var/www/wiki/mediawiki/core/maintenance/../docs/config-schema.yaml
Writing name constants to /var/www/wiki/mediawiki/core/maintenance/../includes/MainConfigNames.php
$ git diff
diff --git a/docs/config-schema.yaml b/docs/config-schema.yaml
index 50e52ac9abf..721090f8446 100755
--- a/docs/config-schema.yaml
+++ b/docs/config-schema.yaml
@@ -3092,6 +3092,8 @@ config-schema:
             - copyright
             - history_copyright
             - googlesearch
+            - youhavenewmessagesmanyusers
+            - youhavenewmessages
         type: array
         items:
             type: string
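Review bot: the regenerated list adds youhavenewmessagesmanyusers and youhavenewmessages, while the steps to reproduce at the top of this task customise MediaWiki:Youhavenewmessagesfromusers; before merging, confirm that the key actually rendered on the raw-HTML path is the one being added (or whether both keys need listing), otherwise a customised youhavenewmessagesfromusers stays outside the $wgRawHtmlMessages protection.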
diff --git a/includes/config-schema.php b/includes/config-schema.php
index a2d6c76ab0c..754c2018838 100755
--- a/includes/config-schema.php
+++ b/includes/config-schema.php
@@ -624,6 +624,8 @@ return [
                                0 => 'copyright',
                                1 => 'history_copyright',
                                2 => 'googlesearch',
+                               3 => 'youhavenewmessagesmanyusers',
+                               4 => 'youhavenewmessages',
                        ],
                        'Localtimezone' => null,
                        'LocalTZoffset' => null,
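Review bot: includes/config-schema.php is the derived file that takes effect at runtime, so this regenerated hunk must travel with the includes/MainConfigSchema.php edit in every backport rather than being left to CI; a later comment in this thread confirms that changing MainConfigSchema.php alone is a no-op until config-schema.php is updated too. The index lines also show both generated files at mode 100755; worth checking that an executable bit on a PHP array and a YAML document is expected in the repository and not a local checkout artifact about to be committed.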
$

Ah, this patch might need a rebase due to: https://gerrit.wikimedia.org/r/c/mediawiki/core/+/936219.

Backported the patch for this under {T204470} to make the security patch application easier.

The rev2 patch cleanly applies to REL1_39 and REL1_40 on top of the above (and of course, master). REL1_35 is completely different, but trivial to do.

Marking resolved to ease tracking.

Oh, and while this doesn't matter too much for WMF production... Changes to includes/MainConfigSchema.php need other documentation files updating, otherwise CI would/should complain when we try and push these patches:

Actually, I'm incorrect here, as I found out when checking further changes for T341565: CVE-2023-3550: Stored XSS when uploading crafted XML file to Special:Upload (non standard configuration); this does matter for WMF production!

If you only change includes/MainConfigSchema.php, this is actually a no-op, and will have no actual impact, until includes/config-schema.php is actually updated too...

If you only change includes/MainConfigSchema.php, this is actually a no-op, and will have no actual impact, until includes/config-schema.php is actually updated too...

Ugh, good to know for future mitigations, I suppose. Though we've rarely had to mitigate via includes/MainConfigSchema.php in the past.

Change 961933 had a related patch set uploaded (by Reedy; author: Mstyles):

[mediawiki/core@REL1_35] SECURITY: Add 'youhavenewmessagesmanyusers' and 'youhavenewmessages' to $wgRawHtmlMessages

https://gerrit.wikimedia.org/r/961933

Change 961939 had a related patch set uploaded (by Reedy; author: Mstyles):

[mediawiki/core@REL1_39] SECURITY: Add 'youhavenewmessagesmanyusers' and 'youhavenewmessages' to $wgRawHtmlMessages

https://gerrit.wikimedia.org/r/961939

Change 961946 had a related patch set uploaded (by Reedy; author: Mstyles):

[mediawiki/core@REL1_40] SECURITY: Add 'youhavenewmessagesmanyusers' and 'youhavenewmessages' to $wgRawHtmlMessages

https://gerrit.wikimedia.org/r/961946

Change 961953 had a related patch set uploaded (by Reedy; author: Mstyles):

[mediawiki/core@master] SECURITY: Add 'youhavenewmessagesmanyusers' and 'youhavenewmessages' to $wgRawHtmlMessages

https://gerrit.wikimedia.org/r/961953

Change 961933 merged by jenkins-bot:

[mediawiki/core@REL1_35] SECURITY: Add 'youhavenewmessagesmanyusers' and 'youhavenewmessages' to $wgRawHtmlMessages

https://gerrit.wikimedia.org/r/961933

Change 961939 merged by jenkins-bot:

[mediawiki/core@REL1_39] SECURITY: Add 'youhavenewmessagesmanyusers' and 'youhavenewmessages' to $wgRawHtmlMessages

https://gerrit.wikimedia.org/r/961939

Change 961946 merged by jenkins-bot:

[mediawiki/core@REL1_40] SECURITY: Add 'youhavenewmessagesmanyusers' and 'youhavenewmessages' to $wgRawHtmlMessages

https://gerrit.wikimedia.org/r/961946

Change 961953 merged by jenkins-bot:

[mediawiki/core@master] SECURITY: Add 'youhavenewmessagesmanyusers' and 'youhavenewmessages' to $wgRawHtmlMessages

https://gerrit.wikimedia.org/r/961953

Customizations on Wikimedia wikis - apparently quite a few of them make use of raw HTML.

All of those uses could be replaced with wikitext style for ->parse(), but they would need to be edited.

Reedy renamed this task from i18n XSS in "you have new messages" message to CVE-2023-45360: i18n XSS in "you have new messages" message. Oct 9 2023, 1:30 PM
sbassett triaged this task as Medium priority. Oct 12 2023, 7:33 PM
sbassett changed Author Affiliation from N/A to WMF Technology Dept.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett changed Risk Rating from High to Medium.